How can I detect a scam email? The 12-point checklist for phishing, spam and co.


Who hasn’t experienced it: the email inbox is overflowing and one laboriously clicks through the list of unopened messages. Criminals are hoping for the one moment when concentration wanes and the unwary recipient clicks on the dubious link or infected attachment. Perhaps they will also disclose confidential data?

E-mails are the number one gateway for cyber criminals. Unfortunately, there is no absolute security against viruses and cyber attacks, so it is important to back up your data regularly and store it away from your computer. Do not use the same password for multiple accounts and keep up to date, for example, with the online training and phishing simulations for Perseus customers.

If the email seems suspicious, do not reply, never click on any links included and do not open any attachments included. You alone are the last defense against attacks by criminals, so do not be afraid to contact the sender directly if you are unsure and ask for confirmation that the email has been sent. To do this, do not use the contact details from the e-mail, but those from your address book or from the sender’s official website.

We have compiled a small checklist for you to use to check your suspicious emails:

1. Suspicious subject line

In most cases, you will already notice the first inconsistencies in the subject line. The sender’s wording is different from what you are used to. Perhaps the subject matter is also surprising and you would not have expected this person or organization to write to you about this subject? Then be alert and check the rest of the email carefully.

Of course, it can also be the case that the subject line is completely inconspicuous and yet a fraud attempt is behind the email.

2. Conspicuous sender address

Have you only received letters from the sender until now? Or have you had no relationship with the sender so far? Does something seem strange about the sender’s address? Then take a closer look.

In particular, check the ending of the sender’s address, i.e. the part after the @ sign. Do the domain ending (.de / .net / .org / .com) and the domain match the usual sender and the official website?

Criminals like to confuse their targets with very similar sender addresses.

Unfortunately, however, it is also possible for criminals to credibly forge the sender address. Make sure that your e-mail provider supports a procedure that authenticates the sending server (e.g. DKIM) and thus prevents fake senders from remaining undetected.

You should therefore always listen to your gut feeling and look out for other fraud features. If you cannot dispel your doubts, you should contact the sender directly. Of course, do not use the contact details in the e-mail or simply send a reply, but use information from your address book or visit the official website. In this way, have the sender confirm that the email has been sent.
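The check on the part after the @ sign can be automated for a mailbox export. The following is an added example, not part of the original article: it compares the sender domain of a From header against a list of domains you actually correspond with and flags near-identical spellings. The domain list, the similarity threshold and the sample headers are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumption: domains you really correspond with (constructed sample values).
KNOWN_DOMAINS = {"example-bank.com", "partner-firm.de"}

def sender_domain(from_header: str) -> str:
    """Return the lower-cased part after the @ sign of a From header."""
    _display_name, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()

def classify_sender(from_header: str, threshold: float = 0.85) -> str:
    """Return 'known', 'lookalike of <domain>' or 'unknown'."""
    domain = sender_domain(from_header)
    for known in sorted(KNOWN_DOMAINS):
        # Exact match or a genuine subdomain such as mail.example-bank.com.
        if domain == known or domain.endswith("." + known):
            return "known"
    for known in sorted(KNOWN_DOMAINS):
        # Known name embedded in front of a foreign domain,
        # e.g. example-bank.com.mail-secure.net.
        if known + "." in domain:
            return f"lookalike of {known}"
        # Near-identical spelling, e.g. a digit 1 in place of the letter l.
        if SequenceMatcher(None, domain, known).ratio() >= threshold:
            return f"lookalike of {known}"
    return "unknown"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Example Bank <service@example-bank.com>",
    "Example Bank <service@examp1e-bank.com>",
    "Example Bank <service@example-bank.com.mail-secure.net>",
    "Old Friend <someone@unrelated.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):32} {header}")
```

A result of "known" only says the address is spelled correctly; a forged From header passes this check, which is why sender authentication such as DKIM is still needed.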

3. Unusual recipient address

In addition to the sender’s address, check your own recipient address thoroughly. If, for example, you are unexpectedly contacted on your business e-mail address by your personal bank, your personal shopping provider or an old school friend, it could be an attempt at fraud. Always ask yourself why this person or organization should write to this email address.

As a general rule, do not use your professional email address for private purposes. By keeping both mailboxes strictly separate, you reduce the risk of successful cyber-attacks, as criminals have fewer points of entry to manipulate them.

4. No personal salutation

Another indication of a phishing email or similar can be the lack of personalization. If you are addressed with general phrases (e.g. Dear Customer, Dear Sir or Madam), although the sender normally calls you by your first and/or last name, then you should become suspicious.

5. Spelling and grammatical errors

Wrong spelling, grammar or punctuation can also be a feature of fraudulent emails. Often the criminals are not from the recipient country. They then try to translate the whole thing with machine translation or with school-level language skills. This is often evident in the message.

6. Unusual language

Also take note if the sender suddenly writes to you in a different language, e.g. English, instead of the usual German. You should also be suspicious if the sender unexpectedly uses different wording (e.g. “Sie” instead of “Du”, colloquial language instead of formal expression) than in previous correspondence, and take a closer look at the e-mail.

7. Artificial pressure

Even if the sender puts you under pressure, this can be a sign of criminal intent. The form of the pressure can vary: time pressure, social pressure, fear of negative consequences, but also positive pressure such as the prospect of a win or a promotion. Typical signs that should make you sit up and take notice are: setting a very short deadline, forbidding further consultation with colleagues, threatening legal consequences or inability to work. Do not allow yourself to be pressured and calmly obtain the necessary information.

Example: In a recent case, an employee transferred a large sum of money to an unknown account. He received a – manipulated – e-mail from the company’s managing director. In this email, the employee was asked to transfer the money as soon as possible, but not to call him or inform anyone else in the company, because it was supposedly about a secret company acquisition.

8. Links and attachments (in an unusual context)

You should generally be attentive to included links and attachments. Often you can tell that they are not trustworthy only by small irregularities:


Note whether you recognize the linked domain. To do this, move your mouse pointer over the link, stop (don’t click!) and take a closer look at the link address that is displayed as the destination. Especially if the linked text pretends to be a destination address that differs from an address displayed in the email text, caution is advised. Here is an example you can use to test whether you can tell that the actual destination is different from the link displayed: This link does not point to the address displayed but in fact points to 

You must be just as careful with links that point to pages on which you are then supposed to log in; popular targets are online banking pages, shop pages and payment services such as PayPal. Very common is the claim that you have to confirm your password again to avoid financial losses or similar. Often these login pages are faked or compromised in order to steal your login data. Once opened in the browser, it is sometimes difficult to determine whether you are on the right page. It is safer to open the corresponding pages yourself, e.g. via your saved browser bookmarks.

Another popular trick is to make the recipient believe that the attachment is trustworthy. In reality, however, a supposed file attachment is only a link to a website that tries to infect your computer.
Note that the detection rate of dangerous links by email scanners is significantly lower than the malware detection rate in attachments. Therefore, it does not mean that a link is 100 percent safe if the malware scanner does not find a hint. Perhaps the link is simply still too new or not widespread enough for the link scanner to have noticed it before.
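The hover check described above, comparing the address shown as link text with the real destination, can also be run over the HTML body of a message. This is an added example, not part of the original article; the sample body and all host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value: str) -> str:
    """Host name of a URL-like string, or '' if it is ordinary text."""
    value = value.strip()
    if not value or any(ch.isspace() for ch in value):
        return ""
    host = urlparse(value if "://" in value else "//" + value).hostname or ""
    return host if "." in host else ""

def mismatched_links(html_body: str):
    """Return (shown host, real host) pairs where the two differ."""
    collector = LinkCollector()
    collector.feed(html_body)
    pairs = ((host_of(text), host_of(href)) for text, href in collector.links)
    return [(shown, real) for shown, real in pairs
            if shown and real and shown != real]

# Constructed sample body; all host names are made up for illustration.
SAMPLE_HTML = """
<p>Dear Customer, please confirm your password:</p>
<a href="http://login.example-bank.com.account-verify.net/session">https://www.example-bank.com/login</a>
<a href="https://www.partner-firm.de/news">www.partner-firm.de/news</a>
<a href="https://unrelated.org/offer">Click here</a>
"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_HTML):
        print(f"text shows {shown} but link goes to {real}")
```

Links whose visible text is not an address ("Click here") are not flagged by this comparison and still need the manual hover check.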

Email attachments

Modern cyber attacks regularly spread via emails that are sent unnoticed on behalf of the infected computers and owners. Often, attachments with the same name and type are sent that have already appeared in the communication with the recipient. Of course, the Perseus email scanner and an up-to-date virus scanner running on the computer can help here.

A trained eye can also help

If you see a file ending with .exe, .html, .vbs, .bat, .adp, .cpl, .com, .wsc and others, you should be alert. These may be programmes in which malware is hiding.
Office files (.doc/.docx/.ppt/.pptx/.xls/.xlsx) can also be contaminated with malware because of the macros they contain. It is worth taking a closer look at the sender.
Malware can also be hidden in compressed files (.zip) and videos (.mpg /.avi etc.), which can then implant themselves in your system when opened.
Text files such as .txt and PDFs are usually harmless. However, watch out for software updates from the provider and be attentive to links contained therein.

A prerequisite for observing the above points is that your e-mail program displays all file endings in full. A popular trick is to optically shorten the file extension so that it appears harmless. In the incomplete representation, the file appears as “DocumentA.jpg” – so it looks harmless. In the complete representation, one finally recognizes the threat: “DocumentA.jpg.exe”. Whether the extensions of file attachments are displayed depends on the settings of your e-mail program and your operating system.
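Reading the complete attachment name from the message itself sidesteps the display problem. The following added example, not part of the original article, lists every attachment of a message with its full file name and sorts it into the groups named above; the verdict wording and the sample message with dummy attachments are constructed.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extension groups as listed in the text above.
PROGRAM = {".exe", ".html", ".vbs", ".bat", ".adp", ".cpl", ".com", ".wsc"}
OFFICE = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx"}
CONTAINER = {".zip", ".mpg", ".avi"}
USUALLY_HARMLESS = {".txt", ".pdf"}

def assess_filename(name: str) -> str:
    """Judge an attachment by its full name, not by a shortened display."""
    suffixes = [s.lower() for s in PurePosixPath(name.strip()).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in PROGRAM and len(suffixes) > 1:
        return f"double extension: looks like {suffixes[-2]}, is really {last}"
    if last in PROGRAM:
        return "program type, be alert"
    if last in OFFICE:
        return "office file, may carry macros"
    if last in CONTAINER:
        return "archive or video, contents not visible"
    if last in USUALLY_HARMLESS:
        return "usually harmless, still check links inside"
    return "unlisted type, check with the sender"

def review_attachments(msg: EmailMessage) -> dict:
    """Map every attachment's complete file name to a verdict."""
    return {part.get_filename(): assess_filename(part.get_filename() or "")
            for part in msg.iter_attachments()}

def build_sample() -> EmailMessage:
    """Constructed message with three dummy attachments (no real payloads)."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in ("DocumentA.jpg.exe", "report.xlsx", "notes.txt"):
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, verdict in review_attachments(build_sample()).items():
        print(f"{name:20} {verdict}")
```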

Even if the Perseus E-mail Scanner does not report a detection – trust your own judgement: If you still have doubts despite a thorough check, it is better to consult the sender again. Do not use the contact details from the e-mail, but those from your address book or the official website. A virus usually does not answer such e-mails and you may even be able to help the sender determine that his computer has been infected.

9. Unusual content: asking for confidential information

You are asked for access data by e-mail, the boss asks for a bank transfer from his holiday or you are supposed to confirm a payment with the help of a link? An unexpected jackpot is waiting in your mailbox, an unprompted shipping notification or a sudden speculative application? These can all be signs of a phishing attempt. If something like this has never happened before or other points make you suspicious, then take a closer look at the message and pay particular attention to the above tips on links and attachments.

10. Conspicuous formatting or design

Is the formatting of the email completely broken? Does the design suddenly use different colors, images and fonts than usual? Then perhaps it is a scam message. Take a closer look at the message.

11. Technical support

Of course, there is also technical support that you can use to scan your e-mails for malware and phishing links – for example, the e-mail scanner from Perseus (test it now for free). But even though the detection rates of most tools are relatively good, you should always take extra precautions.

12. Still unsure? Contact the sender

As mentioned several times before: trust your mistrust. There is no such thing as 100 per cent security through technology. With the rapid development of phishing sites and malware, the databases of email and virus scanners cannot always be up to date.

You should therefore not be afraid of embarrassing yourself and trust your gut feeling. Investigate and, if necessary, contact the sender directly. Use the information from your address book or from an official website. Everyone will forgive you for taking this precaution.